Root Certificates Container

This website, like most of the services I host in my homelab, runs in a Docker
container hosted in a small Kubernetes cluster. I'll go into more detail about
the Kubernetes cluster in a later post. In this post I want to demonstrate a
very simple container I have created which bundles the root certificates
distributed with most operating systems, making them available to the
application running within.

Motivation

Imagine an application which interacts with external resources over TLS,
perhaps a website which stores user input in a Google Sheets document. Every
read from or write to the spreadsheet is an HTTP request to the Google API over
TLS.

In order to trust that our application is connecting to the authentic Google
API, web browsers and our application use a set of pre-installed root
certificates to validate the certificate chain presented by the remote server
when it is contacted. If the presented certificate chains up to one of those
trusted roots, the site being contacted is considered legitimate; if no root
matches, the connection is rejected.

These certificates are usually distributed with the operating system. On a Linux
computer they are often found in /etc/ssl/certs. But what if the application is
running in a FROM scratch Docker container, which starts with no files at all?
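The failure described above, as an added example that is not part of the original post. This Go program (assuming the application is written in Go, as FROM scratch images usually are) starts a local TLS server with a self-signed certificate standing in for the remote API, then connects once with an empty root pool, which is what a scratch container without /etc/ssl/certs has, and once with the server's certificate added as a trusted root. The helper names are my own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startServer returns a local TLS server with a self-signed certificate.
// It stands in for the remote API; the caller must Close() it.
func startServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// fetch performs one GET trusting only the given root pool. An empty
// pool mimics a FROM scratch container that ships no /etc/ssl/certs.
func fetch(url string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// IsUnknownAuthority reports whether err is the verification failure an
// application sees when no root certificate can validate the server chain
// ("x509: certificate signed by unknown authority").
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv := startServer()
	defer srv.Close()
	empty := x509.NewCertPool() // no roots: what a bare scratch image has
	fmt.Println("empty pool rejected:", IsUnknownAuthority(fetch(srv.URL, empty)))
	trusted := x509.NewCertPool() // the roots a base image would provide
	trusted.AddCert(srv.Certificate())
	fmt.Println("trusted pool error:", fetch(srv.URL, trusted))
}
```

In a real scratch image the pool is the system store, so the same unknown-authority error appears until the root certificates are present at a path the runtime searches.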

A Potential Solution

Our application contacts the Google API and requires a root certificate as
previously discussed. To satisfy this requirement, we could launch our container
with a volume mount to insert the certificates from the host:

docker run -v /etc/ssl/certs:/etc/ssl/certs my-application

With this command we take the contents of /etc/ssl/certs on the host and mount
them in the same location in our running container. This works great, assuming
we know that the certificates will always be in this location on the host. But
what if we want to run our application on another host, such as a node in
a Kubernetes cluster?

Simpler Solution

I have created a tiny Docker image which contains the root certificates
necessary for your application. To use it, build the root-certs container and
tag it:

Now, you can base any containers which need the root certificates on this one.
For example, your Dockerfile might look like this:

# Base on the locally built and tagged root-certs image (see above).
FROM root-certs
# COPY (or ADD) needs a destination path inside the image.
COPY my-application /my-application
ENTRYPOINT [ "/my-application" ]

This may end up slightly more complicated in the short run, but if you have
multiple containers which all have this requirement, it is very nice to have one
common base that satisfies it for all of the applications.